By sending a special UDP packet (only 29 bytes long), a remote attacker can cause a Macintosh computer to respond with 1500 bytes of data, effectively amplifying network traffic.
The following article summarizes an attack that uses this vulnerability, how to prevent it, and where to download a patch that fixes it.
Credit:
The information was provided by: John A. Copeland.
We suggest reading CERT's report on the Distributed-Systems Intruder Tools Workshop:
http://www.cert.org/reports/dsit_workshop.pdf
By using what is referred to as a "Mac DoS Attack," it is possible to generate a large amount of ICMP Internet traffic directed at a specific target. This scheme can be replicated to attack many different targets, with little chance that the perpetrators will be caught.
These packets are not ordinary; they are "crafted" (meaning the data in them is not normal). Usually these packets are sent using the UDP source and destination port numbers 31790 and 31789, but any unused port can be used as well.
These port numbers are normally random between 1024 and 65,565.
Each of these Macintosh computers will be referred to as a Slave (for the sake of explanation), and the attacker's computer will be referred to as the Control Computer. When an attack is started, the attacker sends trigger packets in rotation to as many slaves as possible. The source (return) Internet address is forged to be that of the target. The slaves then send a 1500-byte ICMP packet to the target each time they receive a 40-byte trigger packet.
If the attack computer sends 4000 40-byte trigger packets per second (a bit rate of less than 1.3 Mbps), the slaves will send 4000 1500-byte packets to the target (a bit rate of 48 Mbps).
                   |-------------> Slave ------------>|
  Control          |-------------> Slave ------------>|
  Computer ------->|-------------> Slave ------------>|-------> Target
                   |-------------> Slave ------------>|
                   |      * * *                       |    4000 1500-byte
  4000 40-B pkt/s    100 40-B pkt/s    100 1500-B pkt/s    ICMP pkts/s
                     to each slave     from each slave     = 48 Mbps
The target organization is cut off from the Internet because its connection, a 1.5 Mbps (million bits per second) T-1 or a 45 Mbps DS-3 digital line, is swamped with ICMP packets from too many different sources.
This attack is quite simple and can be carried out easily; the only two options to stop it completely are:
1) Update MacOS machines with the "OT Tuner" patch (which fixes this vulnerability). This patch can be downloaded from:
http://asu.info.apple.com/swupdates.nsf/artnum/n11559
2) The Internet Service Providers (ISPs) must take action to drop long ICMP packets in the backbone networks (any packet longer than 1499 bytes, at the very least.)
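As an added defender-side example (not part of the original advisory or of the OT Tuner patch), the following Python script parses constructed flow summaries, pairs small UDP trigger packets with 1500-byte ICMP replies sent to the spoofed source, reports the byte amplification each suspected slave delivered, and reproduces the advisory's projection from 4000 trigger packets per second to 48 Mbps at the target. The summary line format, the addresses and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed flow summaries, not real captures: "src[:sport] > dst[:dport] PROTO LENGTH"
SAMPLE_FLOWS = """\
198.51.100.7:31790 > 192.0.2.10:31789 UDP 40
198.51.100.7:31790 > 192.0.2.11:31789 UDP 40
192.0.2.10 > 198.51.100.7 ICMP 1500
192.0.2.11 > 198.51.100.7 ICMP 1500
203.0.113.5:53 > 192.0.2.10:4242 UDP 120
192.0.2.10 > 203.0.113.5 ICMP 84
"""
FLOW_RE = re.compile(r"^(\S+?)(?::(\d+))? > (\S+?)(?::(\d+))? (UDP|ICMP) (\d+)$")
TRIGGER_MAX_LEN = 40   # trigger packets are 29-40 bytes (default ports 31790 -> 31789)
REPLY_LEN = 1500       # each trigger makes the Mac emit one 1500-byte ICMP packet

def parse_flows(text):
    """Parse summary lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, sport, dst, dport, proto, length = m.groups()
            flows.append({"src": src, "dst": dst, "proto": proto, "len": int(length),
                          "sport": int(sport) if sport else None,
                          "dport": int(dport) if dport else None})
    return flows

def find_amplifiers(flows):
    """Hosts that answered small UDP packets with 1500-byte ICMP to the spoofed source."""
    triggers = defaultdict(lambda: defaultdict(int))  # slave -> spoofed source -> bytes
    for f in flows:
        if f["proto"] == "UDP" and f["len"] <= TRIGGER_MAX_LEN:
            triggers[f["dst"]][f["src"]] += f["len"]
    result = {}
    for f in flows:
        if (f["proto"] == "ICMP" and f["len"] >= REPLY_LEN
                and f["src"] in triggers and f["dst"] in triggers[f["src"]]):
            r = result.setdefault(f["src"], {"reply_bytes": 0, "victims": set()})
            r["reply_bytes"] += f["len"]
            r["victims"].add(f["dst"])
    for slave, r in result.items():   # bytes delivered to victims per trigger byte received
        r["trigger_bytes"] = sum(triggers[slave][v] for v in r["victims"])
        r["amplification"] = r["reply_bytes"] / r["trigger_bytes"]
    return result

def projected_rates(trigger_pps, trigger_len=40, reply_len=REPLY_LEN):
    """(control-link Mbps, target-link Mbps): 4000 pkt/s gives ~1.3 in, 48 out."""
    return trigger_pps * trigger_len * 8 / 1e6, trigger_pps * reply_len * 8 / 1e6
```

Because the trigger can use any unused port, the correlation keys on packet size and the request/reply pairing rather than on the default port numbers.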